Friday, April 23, 2010

"One day after being profiled by the New York Times, the social buying site, Blippy, is finding out that being in the public eye cuts in both directions.

"The six-month-old site lets users link their credit cards and e-commerce accounts and share that information with friends and even strangers on their purchases. The venture capitalists seem to be intrigued. Blippy has raised $11.2 million in funding from August Capital and Charles River Ventures.

"But there are limits to sharing private data - especially when it's not done voluntarily. Some sleuths have found they can use Google to come up with the credit card numbers of Blippy users."

"Early Wednesday, McAfee released a flawed signature update that wrongly tagged a crucial system file in Windows XP Service Pack 3 (SP3) as malware. After the software quarantined the `svchost.exe` file, thousands of PCs, most of them in businesses, crashed and rebooted repeatedly.

"Firms are still dealing with the aftermath, with some companies forced to manually reconfigure hundreds or even thousands of systems.

"The debacle made news not just in the technical press, but in more mainstream outlets, including the New York Times and USA Today.

"And news is scammers' bread and butter. Using their now-traditional technique of poisoning results at major search engines like Google and Bing, `scareware` makers have pushed links touting fake antivirus software to at or near the top of the results lists, said Graham Cluley, senior technology consultant with Sophos."

Wednesday, April 21, 2010

"PCs across the country rebooted continuously Wednesday, in a mass outbreak reminiscent of the widespread computer viruses from a decade ago. The cause this time wasn’t a virus, however, but a glitch on the part of a company that’s supposed to stop such malicious programs.

"Security company McAfee Wednesday morning issued a software update intended to give the computers that it’s contracted to protect a new list of malicious files to block and delete. Somehow a file that is part of Microsoft’s Windows operating system made it on to the list. And when McAfee’s software deleted this file, all hell broke loose.

"People all over the country reported that their computers stopped working. Among the victimized organizations were a hospital in Rhode Island, police in Kentucky and the National Science Foundation, according to the AP.

"Jamal Mazhar, who runs LodgeXcode Inc., a consulting firm for hotels, says his computer and others in his office have been rebooting since morning. His tech staff downloaded a fix, but hasn’t yet been able to get the computers working again. `We’re down hard,` he says.

"McAfee said in a statement that the company was `not aware of significant impact on consumers.` In terms of numbers, it said the incident impacted less than `one half of one percent` of its consumer base and enterprise accounts globally."

Friday, April 16, 2010

"The Zeus botnet is now using an unpatched flaw in Adobe's PDF document format to infect users with malicious code, security researchers said today.

"The attacks come less than a week after other experts predicted that hackers would soon exploit the `/Launch` design flaw in PDF documents to install malware on unsuspecting users' computers.

"The just-spotted Zeus variant uses a malicious PDF file that embeds the attack code in the document, said Dan Hubbard, CTO of San Diego, Calif.-based security company Websense. When users open the rogue PDF, they're asked to save a PDF file called `Royal_Mail_Delivery_Notice.pdf`. That file, however, is actually a Windows executable that when it runs, hijacks the PC.

"Zeus is the first major botnet to exploit a PDF's /Launch feature, which is, strictly speaking, not a security vulnerability but actually a by-design function of Adobe's specification. Earlier this month, Belgium researcher Didier Stevens demonstrated how a multistage attack using /Launch could successfully exploit a fully-patched copy of Adobe Reader or Acrobat..."

Thursday, April 15, 2010

"Oracle today patched a critical Java vulnerability that is being exploited by hackers to install malicious software.

"The security update to Java SE 6 Update 20 patches a bug disclosed last Friday by Google security researcher Tavis Ormandy, who spelled out how attackers could run unauthorized Java programs on a victim's machine by using a feature designed to let developers distribute their software. Only systems running Windows are at risk.

"Other researchers noted Oracle's turnaround today. `So it turns out that Oracle can actually patch Java in less than a week! Funny how vendors only care to do this after full-disclosure,` said noted browser researcher Alexander Sotirov, also on Twitter..."

"Just five days after a Google researcher published information of an unpatched Java bug, a compromised song lyrics site is sending users to a Russian attack server exploiting the flaw to install malware, an antivirus firm said today.

"Last Friday, Google's Tavis Ormandy posted details of the Java vulnerability to the Full Disclosure security mailing list, spelling out how attackers could run unauthorized Java programs on a victim's machine by using a feature designed to let developers distribute their software. According to Ormandy, all versions of Java for Windows since SE 6 update 10 -- which debuted two years ago -- are vulnerable. Other operating systems running Java are unaffected, he said...

"Although Ormandy reported the flaw to Sun -- now part of Oracle -- he said the company declined to rush out a patch. `They informed me they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle,` Ormandy wrote on the mailing list. `I explained [to them] that I did not agree, and intended to publish advice to temporarily disable the affected control until a solution is available.`

"Oracle patched Java last week; its next regularly-scheduled update is slated for July."

Tuesday, April 13, 2010

"For all the credit Facebook has received for its privacy controls and user safety, the site still falls prey to an unsettling number of security issues and potential data breaches. Last month a botched code push accidentally revealed private user email addresses, and before that Facebook accidentally sent private messages to the wrong recipients. Today, security engineer Joey Tyson, AKA theharmonyguy, has detailed a major security hole in Facebook Platform — one that would allow a malicious website to silently access a user’s profile information, photos, and in some cases, messages and wall posts, with no action required on the user’s part..."

"Two California women have sued security company McAfee, accusing it of duping customers into subscribing to third-party services and passing consumers' credit or debit card information to the service supplier without their permission.

"The lawsuit, which was filed by Melissa Ferrington and Cheryl Schmidt, asked a San Francisco federal court to grant the case class-action status, and demanded that McAfee be barred from continuing the practice. The pair also asked for compensatory and punitive damages, which would be decided at trial.

"When customers purchase McAfee security software online, but before the download begins, a pop-up with a large "Try It Now" button appears.

"`The pop-up, mimicking the look of the other pages on the McAfee site, thanks the customer for purchasing McAfee software, and prompts McAfee's customers to click a red button to 'Try it Now,'` the lawsuit alleged.

"`The pop-up contains no obvious visual cues or conspicuous text indicating that it is an advertisement for another product, or that clicking on 'Try it Now' will lead not to the delivery of the McAfee product but rather to the purchase of a completely different product. Instead, all the visual cues suggest that 'Try It Now' is a necessary step in downloading the McAfee software.`

"By clicking on the pop-up, users agree to a $4.95 per month fee charged by Arpu, a company that creates Web ads "enabling an advertised product or service to be obtained with a single click," according to the Washington D.C. firm's Web site.

"Arpu's site lists McAfee as one of its partners...

"`A single click on the deceptive pop-up causes the purchase of an unwanted product from Arpu, a sale made without the knowledge or authorization of customers, using credit/debit card billing information that they have entrusted solely to McAfee,` said the women's lawsuit."

Friday, April 9, 2010

"For the second time in two weeks, bad networking information spreading from China has disrupted the Internet.

"On Thursday morning, bad routing data from a small Chinese ISP called IDC China Telecommunication was re-transmitted by China's state-owned China Telecommunications, and then spread around the Internet, affecting Internet service providers such as AT&T, Level3, Deutsche Telekom, Qwest Communications and Telefonica.

"`There are a large number of ISPs who accepted these routes all over the world,` said Martin A. Brown, technical lead at Internet monitoring firm Renesys.

"According to Brown, the incident started just before 10 a.m. Eastern Time on Thursday and lasted about 20 minutes. During that time IDC China Telecommunication transmitted bad routing information for between 32,000 and 37,000 networks, redirecting them to IDC China Telecommunication instead of their rightful owners.

"These networks included about 8,000 U.S. networks including those operated by Dell, CNN, Starbucks and Apple. More than 8,500 Chinese networks, 1,100 in Australia and 230 owned by France Telecom were also affected.

"The bad routes may have simply caused all Internet traffic to these networks to not get through, or they could have been used to redirect traffic to malicious computers in China.

"While the incident appears to have been an accident, it underscores the weakness of the Border Gateway Protocol (BGP), a critical, but obscure, protocol used to bind the Internet together."

Thursday, April 8, 2010

"A Bank of America computer specialist is set to plead guilty to charges that he hacked the bank's automated tellers to dispense cash without recording the activity.

"Rodney Reed Caverly, of Charlotte, North Carolina, is scheduled to plead guilty to a computer fraud charge next Tuesday in federal court in Charlotte, according to his lawyer Christopher Fialko, who declined to comment further on the case.

"Caverly was charged last week with one count of computer fraud for allegedly writing a malicious program that ran on Bank of America's computers and ATMs, according to court filings. The documents say Caverly made more than the statutory minimum of US$5,000 from the scam, but they do not spell out the bank's total losses. That number could come out when his plea is entered next week."

Thursday, April 1, 2010

"Imagine a network of virus-driven computers so infectious that it could bring down the world's top 10 leading economies with just a few strokes. It would require about 100 million computers working together as one, a `botnet` -- the cybersecurity world's version of a WMD. But unlike its conventional weapons equivalent, this threat is the subject of no geopolitical row or diplomatic initiative. That's because no one sees it coming -- straight out of Africa.

"Cybercrime is growing at a faster rate in Africa than on any other continent in the world, according to statistics presented at a conference on the matter in Cote D'Ivoire in 2008. Cybersecurity experts estimate that 80 percent of PCs on the African continent are already infected with viruses and other malicious software. And while that may not have been too worrisome for the international economy a few years ago, the arrival of broadband service to Africa means that is about to change. The new undersea broadband Internet cables being installed today will make Africa no further away from New York than, say, Boston, in the virtual world.

"Broadband Internet access will allow Africa's virus and malware problems to go global. With more users able to access the Internet (and faster), larger amounts of data can be transferred both out and inward. More spam messages in your inbox from Africa's email fraudsters will be only the beginning..."